You are viewing a plain text version of this content. The canonical link for it is here.

Posted to log4j-dev@logging.apache.org by "Matt Sicker (JIRA)" <ji...@apache.org> on 2014/04/15 09:11:34 UTC

[jira] [Resolved] (LOG4J2-605) NoSQL appender logging password in clear text.

     [ https://issues.apache.org/jira/browse/LOG4J2-605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Sicker resolved LOG4J2-605.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0-rc2
         Assignee: Matt Sicker

Fixed in r1587457 (trunk).

> NoSQL appender logging password in clear text.
> ----------------------------------------------
>
>                 Key: LOG4J2-605
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-605
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Appenders
>    Affects Versions: 2.0-rc1
>            Reporter: Poorna Subhash P
>            Assignee: Matt Sicker
>            Priority: Critical
>             Fix For: 2.0-rc2
>
>
> When using Mongo NoSQL appender and enabled configuration status =debug, the mongodb password is logged in clear text. Following is sample log statement.
> 2014-04-15 11:29:52,008 DEBUG Calling createNoSQLProvider on class org.apache.logging.log4j.core.appender.db.nosql.mongodb.MongoDBProvider for element MongoDb with params(collectionName="log4j", writeConcernConstant="null", writeConcernConstantClass="null", databaseName="logdb", server="localhost", port="27017", username="user", password="pw", factoryClassName="null", factoryMethodName="null").
> However, in below statement it gives passwordhash.
> 2014-04-15 11:29:52,476 DEBUG Calling createAppender on class org.apache.logging.log4j.core.appender.db.nosql.NoSQLAppender for element NoSql with params(name="mongo", ignoreExceptions="null", null, bufferSize="null", MongoDb(mongoDb{ database=logdb, server=localhost, port=270171, username=user, passwordHash=4834821b7ecd2e7b7c571c0488189821 }))
> 2014-04-15 11:29:52,477 DEBUG Starting NoSQLDatabaseManager noSqlManager{ description=mongo, bufferSize=0, provider=mongoDb{ database=logdb, server=localhost, port=27017, username=user, passwordHash=4834821b7ecd2e7b7c571c0488189821 } }
> Either the first statement has to be removed (or) change to print passwordhash.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org